VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    :thumb:


    I don't know how ibuprofen clears a headache, but I know it does! ... I'm almost looking forward to a new worldwide attack so these guys have something new to litter these threads with :argh:
     
  2. guest

    guest Guest

    @Rasheed187 we have no evidence of how the attacker managed to drop the exploit in the network. We just know that once inside, it indeed doesn't need user interaction for spreading; the question is how patient zero was infected. Important aspect to me. What do you think?
     
  3. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    This appears to be a discussion between you and Rasheed, would you not be better taking this to pm?
     
  4. plat1098

    plat1098 Guest

    Rasheed: surely you saw this already but based on your linked finding-- it's not MRG, but.....

    it's a start, right? :) :thumb:
     
  5. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    490
    Location:
    UK
    What is being protected is what would otherwise not have been protected had the offending end product been allowed to complete whatever it was designed to do.

    I installed VS to take care of this for me without having to do complicated settings.
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Amen! They are obviously not reading my posts anyway... otherwise they would realize that when rundll32.exe is blocked, the malicious payload is blocked, along with the associated backdoor hacker tools.

    Either way, the blocking or allowing of child processes of lsass.exe is CLEARLY demonstrated in my videos. All you have to do is either watch the video or run the test yourself.

    This should be an important lesson for everyone... do not argue with someone who has actually tested something and has seen it with their own eyes.

    You have two eyes and one mouth for a reason.

    I would LOVE MRG to test!!! Someone contact them asap please.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    Yes, we are reading your posts, but we question if you're right about it. It's purely a technical discussion about "exploits and payloads", we don't question whether VS is effective or not. You say VS blocks the attack in stage 2, others say VS blocks it in stage 3. So either way, it would have blocked this specific attack.

    I have a better idea, we will take it to another thread. :D
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    club ya beat me to it. They can just create a new thread and everybody else will stay out of it.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    In ten minutes, I have a conference call with RS, and one of the guys that was able to adapt the attack to run on Windows 10, and to spawn a kernel level payload as a child process of the exploited windows process, will be on the call.

    My questions for him are simple (and these go far beyond our discussion):

    1. In your POC, did the exploit spawn a malicious payload of the exploited process? If so, did it run in the system space or the user space?

    2. Can the exploit be adapted so that spawning a payload is not required to sufficiently infect the machine?

    3. Can you run a quick test with VS to see if it is able to block the kernel level payload, while adequately protecting the machine from infection?

    They obviously know this attack inside and out, since they have adapted it to run on Windows 10, and to skip the installation of the backdoor and run the payload directly. It will be interesting.

    I will post their response, then I will say no more.

    Oops, my bad, it is 2 hours from now ;).
     
    Last edited: Jun 7, 2017
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Great, the case is closed then.

    Please do not take this the wrong way... but it is a little frustrating arguing with someone who is not willing to test for themselves, so they can see for themselves.

    If CS has a response, I will respond to her, but I have wasted enough time with you, Pete and guest. Especially when you had the nerve to make a smart ass comment like "What the heck, are you guys still discussing?", when you were the one fanning the flames. You and guest just think it is fun to argue... well I do not. You also create posts on the AG thread that directly contradict your position on the VS thread. You are not fooling anyone, and you guys are not wasting any more of my time.
     
  11. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,820
    Location:
    Canada
    Great Dan, so you will finally have more time to develop VS which is the most important, right?:):):D
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, EXACTLY ;).
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    You're kidding me right? I don't see why all of a sudden you are getting so agitated. Seems like you completely misunderstood my whole point. I tried to explain that it's best to stop discussing this matter, because it's a bit of a silly discussion. That's why I was surprised that both you and guest were still writing quite extensive posts, and that's what I meant with my "smart ass" comment.

    And no, I'm not contradicting myself, I'm saying that AG would have probably not blocked this attack in ANY of the stages, while in the video you can clearly see that VS blocks it in stage 3. But you say it blocks it in stage 2 which is the in-memory loading of DP. So yes, the case is closed, and we will just have to agree to disagree, and let RS or MRG do some testing. And perhaps it will turn out you were right all along, and this would mean I clearly misunderstand how in-memory and file-less malware operate. No big deal, so it's best to cool down Dan. :thumb:
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am cool as cucumber ;). And we are all in agreement.

    In-memory / fileless attacks simply do not write to disk, in an effort to evade detection / EDR, etc. If you ask me, fileless attacks are less of a concern than the ones that do write to disk, except in the event that they are able to evade detection for an extended time period (this is the concern of in-memory / fileless attacks), and basically bounce around from endpoint to endpoint. In the EB / DP attack, it doesn't matter either way since the payload was blocked.

    This attack appears to be completely in-memory, but I would not know unless I spent the time to investigate. But I have not spent the time, simply because it would not change the outcome either way.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    Exactly, and that's why it's such a hot topic: these types of attacks will try to bypass security tools. But like I said, perhaps I simply don't have enough knowledge about in-memory and file-less malware, and that's why I can't visualize your point of view, even after reading so many articles about this attack. So that's why I say, let others like MRG and RS step in, and hopefully then I will understand.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yep, and that is why I am talking to RS today. The main things I am curious about are the questions that I listed above... this should tell us everything we need to know, or at least point the discussion in the right direction.

    It would be really cool if MRG would run the tests for us as well. I imagine they already know all about this conversation ;). And I already can guess what their response on VS would be... basically that while VS blocked the attack, there are a couple of things that we can improve on. And actually, I would have them fixed by now, but I think everyone knows why they are not ;). That is why I want to wrap up this conversation asap... besides the fact that it is getting really old.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    Yes, hopefully RS and MRG will soon respond, no need to discuss any further. :thumb:
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I just finished my conversation with RS, and we will not know for sure until we test, but I think we are probably in great shape.

    Ultimately, the exploit needs to spawn a payload to do something interesting. They did, however, say that it would be optimal to block the exploit, with which I agree completely, but VS is not an anti-exploit utility. But keep in mind that the specialized anti-exploit tools had a difficult time as well with EB (especially when it was a zero day).

    In the end, VS did its "one job" of application control well, and without adding specialized anti-exploit capabilities, it did all it could do, or needed to do.

    They are in their busy season, but might have time to test in a few weeks.
     
  19. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    Good, and once they give you the results you'll have an opportunity to ascertain if you feel the need to alter VS in any way, far better than the endless speculation given over the past few weeks in this thread and others... Let's wait and see folks :thumb:
     
  20. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    835
    Location:
    UK
    Hi Dan,
    There are some here who like to scrutinise VS as to how it works in practice and whether it blocks the exploit or the payload etc. etc., and that's fair enough.
    BUT you have to remember that most users aren't interested in all the techy stuff, they just want VS to do its job effectively - that's what matters to them.
     
  21. guest

    guest Guest

    For clarity:
    - An exploit doesn't need a payload to compromise a system; the exploit does it by itself.
    In our case, EB does it by itself; DP is a module loaded after EB to create a backdoor. EB is the big deal. Block EB and the whole attack fails.

    - Classic malware needs a payload: malware = container + payload

    Exactly, AG Consumer doesn't block the exploit itself; it would only block further attacks delivered via the exploit if those landed in user-space.
    Yes, it is what I said since the beginning; Rasheed and I just want technical correctness. To my knowledge VS doesn't have memory protection (correct me if I'm wrong here), so how can it block in-memory attacks... :rolleyes:
    No need to investigate, it is explained plenty:
    https://www.dearbytes.com/blog/playing-around-with-nsa-hacking-tools/
    https://www.exploit-db.com/docs/41896.pdf

    @VoodooShield honestly I don't see what MRG or RS will say differently; we have tons of articles and even your own videos to prove our point... you are the only one denying it
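    The application-control behaviour argued over in posts 6 and 21 (rundll32.exe being blocked as a child of lsass.exe, rather than the exploit itself being stopped) can be expressed as a simple process-creation policy. The following is an added example, not VoodooShield's code; it assumes Sysmon-style Event ID 1 records with Image, ParentImage and CommandLine fields, and the sample events are constructed.

```python
# Added example (not VoodooShield's code): a minimal process-creation
# monitor implementing the rule discussed in this thread, "lsass.exe must
# never spawn a child process", over constructed Sysmon-style records.
# Assumes the Sysmon field names Image, ParentImage and CommandLine.
import json
from pathlib import PureWindowsPath

# Processes that have no legitimate reason to create children. A child of
# lsass.exe is what the thread describes for the EB/DP case: the payload
# is launched from the exploited LSASS process rather than from the exploit.
NO_CHILDREN_ALLOWED = {"lsass.exe"}

# Constructed sample events (newline-delimited JSON). The second line models
# the rundll32.exe child of lsass.exe mentioned in the posts above.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 1, "Image": r"C:\Windows\explorer.exe",
                "ParentImage": r"C:\Windows\System32\userinit.exe",
                "CommandLine": "explorer.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
                "ParentImage": r"C:\Windows\System32\lsass.exe",
                "CommandLine": "rundll32.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
                "ParentImage": r"C:\Windows\System32\services.exe",
                "CommandLine": "svchost.exe -k netsvcs"}),
    json.dumps({"EventID": 3, "Image": r"C:\Windows\System32\lsass.exe",
                "DestinationPort": 445}),
])

def basename(path):
    """Return the lower-cased file name of a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()

def evaluate(event):
    """Return ("block", reason) or ("allow", None) for a single event."""
    if event.get("EventID") != 1:          # only process creation is judged
        return ("allow", None)
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent in NO_CHILDREN_ALLOWED:
        return ("block", f"{parent} spawned {child}; it never legitimately creates children")
    return ("allow", None)

def triage(log_text):
    """Parse newline-delimited JSON events and return the blocked (image, reason) pairs."""
    blocked = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict, reason = evaluate(event)
        if verdict == "block":
            blocked.append((basename(event["Image"]), reason))
    return blocked

if __name__ == "__main__":
    for image, reason in triage(SAMPLE_EVENTS):
        print(f"BLOCK {image}: {reason}")
```

    Note that this rule fires only once a child process is created, which is precisely the distinction the thread makes: the exploit stage itself is not observed by a process-creation policy.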
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,113
    Location:
    Among the gum trees
    Can someone PM me when this discussion has ended and we are back to talking about VoodooShield development, bugs and features only? I really am bored with WannaCry and its siblings.

    Thanks!
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    If that is the case, then why were the backdoor tools not available in the VS test?

    https://www.wilderssecurity.com/thr...-could-infect-windows-10.394550/#post-2682839

    You cannot claim that something succeeded when the one job it was supposed to do failed.

    Would it be even better to block EB? Of course it would... the sooner you can stop the attack, the better.

    But at least VS blocked the kernel level backdoor from being installed, so it did exactly what it was designed to do.
     
  24. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    38,700
    Location:
    U.S.A.
    OK, Enough! Thread Closed For Time Out For Now. If You Have An Issue With The Software, PM or Email the Developer!
     
  25. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    12,650
    Location:
    UK
    Thread re-opened now.
     